About the SAS Federation Server Accounts

Overview

SAS Federation Server uses the following accounts for administration, authentication, and data authorization. Each is described in the sections below: the system user account, the administrator account (and the Federation Server Administrators group), and the trusted user account.
[Table: SAS Federation Server Accounts]

The SAS Federation Server System User Account

About the System User Account

The SYSTEM user is a privileged account, which means that it carries more privileges than an administrator account. There is nothing on SAS Federation Server that the system account cannot do, because the account has implicit privileges to all user and data objects.
A SAS Federation Server System User Account, sasfedadm, is created during installation of SAS Federation Server. This account is a member of the Federation Server Administrators group.

Activities Associated with the System User

The system user should identify users who will be administrators of SAS Federation Server, and grant them administrative privileges. There are two ways to grant users administrative privileges:
  • Add the user to the SAS Federation Server Administrators group. This group has the administer privilege already assigned.
  • Grant the user ADMINISTER privilege on the server object using administration DDL.
Like SYSTEM users, administrators are unconditionally and implicitly granted all privileges on SAS Federation Server. However, if their ADMINISTER privilege is revoked, they become standard users whose privileges can be granted or denied individually. A SYSTEM user can never be denied privileges.
If a Data Source Name (DSN) is created by either the system user or an administrator, the DSN is created using the AS ADMINISTRATOR clause, which means that the ADMINISTRATOR role owns the DSN rather than the individual who created it. Therefore, if that administrator user is later removed from the system, the DSN is not deleted along with the user.
Use the system user account to define one or more administrators for SAS Federation Server. As a best practice, all configuration and administration should be performed by the administrator.

The Administrator Account and Federation Server Administrators Group

About the Administrator Account

An administrator account is a user account created in SAS Metadata Server, and then granted ADMINISTER privilege on the SAS Federation Server.
Administrators have implicit privileges to perform every other action including the following:
  • create and drop data source names (DSN)
  • grant and deny privileges to other accounts
  • create and drop data services, catalogs, and schemas
You can assign administrators by adding users to the Federation Server Administrators Group on SAS Metadata Server, or by granting the ADMINISTER privilege using the GRANT statement. However, only a system user can invoke the GRANT ADMINISTER DDL statement.

Adding a User to the Federation Server Administrators Group

With the addition of SAS Metadata Server in 4.2, you can grant users administrator privileges by adding them to the Federation Server Administrators group. Use the following procedure to designate a user as an administrator of SAS Federation Server.
  1. Using SAS Management Console, navigate to the Federation Server Administrators group by selecting Environment Management, then selecting User Manager, and then selecting the Federation Server Administrators group in the right pane.
  2. Open Federation Server Administrators Properties and select the Members tab.
  3. Select a user from Available Identities and click the arrow to move the user object to Current Members of the Federation Server Administrators group.
    [Figure: Federation Server Administration Properties]
  4. Click OK when you are finished adding users.

Setting the ADMINISTER Privilege Using DDL

Only system users can grant the ADMINISTER privilege using DDL. To define a user as an administrator for SAS Federation Server, grant the ADMINISTER privilege to their account using the following syntax:
GRANT serverpriv ON servername TO "user-ID"
The example below grants the ADMINISTER privilege to the user1 account on federation server, FedServer1:
GRANT administer ON FedServer1 TO "user1"
For further details, refer to the GRANT and DENY DDL statements.
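As an added illustration (not from the SAS documentation), the following DDL sequence shows the privilege lifecycle described above: the system user grants ADMINISTER on FedServer1 to user1, and later denies it, at which point user1 reverts to a standard user whose individual privileges can be granted or denied. The DENY statement mirroring the GRANT syntax is an assumption here; the exact form is given in the GRANT and DENY DDL reference.

```sql
-- Added example, not from the original page. Both statements are issued by the
-- system user (sasfedadm), since only a system user can grant ADMINISTER via DDL.

-- user1 becomes an administrator with implicit privileges on all server objects.
GRANT administer ON FedServer1 TO "user1"

-- Later: remove the administrative role. Syntax assumed to mirror GRANT.
-- user1 is now a standard user; privileges must be granted or denied explicitly.
DENY administer ON FedServer1 TO "user1"
```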

The SAS Trusted User Account

About the Trusted User Account

The SAS Trusted User Account, sastrust@saspw, is created during installation of SAS Federation Server. A trust relationship is required for certain features, such as definer's rights views.
Here are a few key items about the trusted user account:
  • A trusted user is a user ID that must be able to authenticate using the authentication method deployed for the installation.
  • SAS Federation Server uses the trusted user account to connect to SAS Metadata Server in certain scenarios, such as definer's rights views. This account is never used to log on to a server or application.
  • The trusted user should not be a system user or administrator for SAS Metadata Server or SAS Federation Server.
Last updated: March 6, 2018